This article is a continuation of the post covering security issues in DeFi. Here we explore some more DeFi hacks and ways new DeFi projects can avoid these security issues.

Maker Hack:

On 12th Mar 2020, the Maker platform incurred over $8M in debt as some of its loans were liquidated for free. The uncertainty around the coronavirus and the erupting oil price war culminated in a severe downturn in capital markets, which resulted in an outright collapse of crypto markets on March 12-13. Transactional activity exploded on the Ethereum blockchain, causing network congestion and transaction delays. Collateral values on many loans on the Maker platform fell below their thresholds, making the loans undercollateralized, because users suffered delays when attempting to add more collateral. An undercollateralized loan allows liquidators to participate in an auction to liquidate it for some reward. 4,447 auctions were triggered.

The congestion on Ethereum caused many liquidators to stop working. The remaining liquidators eventually ran out of Dai liquidity and could not bid until several hours later, when they sourced more Dai. Consequently, there was no competition for the auctions. A subset of those auctions was won by bidders who submitted bids decimal points above zero (“zero bidders” submitting “zero bids”). Keepers eventually found liquidity, increased their capacity, and navigated the congestion to successfully challenge later zero bids, which restored a competitive auction space. The zero-bid events of March 12-13 led to a collateral auction shortfall amounting to approximately 5.4M+ Dai.

Balancer Hack:

DeFi liquidity provider Balancer Pool fell victim to a sophisticated hack that exploited a loophole, tricking the protocol into releasing $500,000 worth of tokens. The attacker had borrowed $23 million worth of WETH tokens, an ether-backed token suitable for DeFi trading, in a flash loan from dYdX. They then traded, against themselves, with Statera (STA), an investment token that uses a transfer fee model and burns 1% of its value every time it’s traded. The attacker went between WETH and STA 24 times, draining the STA liquidity pool until the balance was next to nothing. Because Balancer thought it had the same amount of STA, it released WETH that equated to the original balance, giving the attacker a larger margin for every trade completed. The attacker performed the same attack using WBTC, LINK, and SNX, all against Statera tokens. According to an analysis by 1inch, the person behind this attack was a very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols.

Eminence Finance:

On 29 Sep 2020, a single tweet caused shock within the DeFi community and ultimately led to a $15M rug pull. The developers conducted a “test in prod” experiment for Eminence Finance, an NFT gaming ecosystem. A hacker exploited it to steal $15M after traders rushed to farm EMN. A tweet by Andre Cronje, the founder of Yearn Finance, led the traders to find the contracts and flood into the protocol, hoping to get in early on the next YFI.

A savvy hacker used a flash loan to drain all the funds from the pool, which had not been properly tested and secured. He used the flash loan to mint EMN on a tight bonding curve to increase the price. For every EMN minted, the price would increase incrementally along the curve. As the price increased, the hacker burned EMN for any of the wrapped eTokens (Eminence’s native versions of popular DeFi tokens like Aave) to cause a large supply drop and increase the token price dramatically. This gap allowed the hacker to acquire large sums of EMN and then sell the other tokens to recursively cash in DAI profits. The hack is explained by Cronje in the following tweets:

1/x
First, the data;
1. Yesterday we finished the concept behind our new economy for a gaming multiverse. Eminence. As per my usual methodology, I deployed our staging contracts on ETH so we can continue developing on it.
2. Eminence is at least ~3+ weeks still away
— Andre Cronje (@AndreCronjeTech) September 29, 2020

Akropolis:

The DeFi platform suffered a major security breach, hacked for $2M on Nov 12th. The funds were stolen from Akropolis’ Curve liquidity pools connected to the project. The attacker managed to execute a $50,000 exploit 40 times, netting $2 million of DAI in total. Before the attack, Akropolis underwent two security audits performed by CertiK and another unknown security group.

The hacker allegedly created a flash loan to borrow funds with a fake token in the hacker’s own smart contract. As the funds were being transferred, the hacker executed another deposit using $800,000 worth of real DAI borrowed from dYdX. The fake token loan raised the balance of the liquidity pool. When the real loan was initiated, Akropolis minted the same tokens twice, allowing …
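
The accounting mismatch described in the Balancer section, where a pool records the nominal transfer amount while a token with a 1% transfer fee delivers less, can be modelled offline. The following is an added example, not code from Balancer, Statera or the original article: the class names, the toy ledger and the 1,000,000-unit deposit size are constructed for illustration, and the hardened pool shows the common mitigation of crediting the measured balance change instead of the requested amount.

```python
class DeflationaryToken:
    """Constructed toy ledger: burns fee_bps of every transfer (100 bps = 1%)."""
    def __init__(self, fee_bps=100):
        self.fee_bps = fee_bps
        self.balances = {}

    def mint(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        burned = amount * self.fee_bps // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount - burned


class NaivePool:
    """Credits the amount the caller asked to send, not what arrived."""
    name = "naive_pool"

    def __init__(self, token):
        self.token, self.recorded = token, 0

    def deposit(self, sender, amount):
        self.token.transfer(sender, self.name, amount)
        self.recorded += amount  # assumption that breaks for fee-on-transfer tokens


class HardenedPool(NaivePool):
    """Credits only the balance change actually observed on the token ledger."""
    name = "hardened_pool"

    def deposit(self, sender, amount):
        before = self.token.balance_of(self.name)
        self.token.transfer(sender, self.name, amount)
        self.recorded += self.token.balance_of(self.name) - before


def accounting_drift(pool_cls, deposits=24, amount=1_000_000):
    """Return recorded-minus-actual balance after a series of constructed deposits."""
    token = DeflationaryToken()
    token.mint("lp", deposits * amount)
    pool = pool_cls(token)
    for _ in range(deposits):
        pool.deposit("lp", amount)
    return pool.recorded - token.balance_of(pool.name)
```

A non-zero drift means the pool is pricing against tokens it does not hold; asserting `recorded <= balance_of(pool)` after every state change is a cheap invariant to run in tests and in monitoring.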
The post An Analysis of Security Risks Associated with DeFi- Part 2 appeared first on Cryptoknowmics-Crypto News and Media Platform.